Why SOTIF (ISO/PAS 21448) Is Key For Safety in Autonomous Driving

Artificial intelligence (AI) and machine learning play key roles in the development of autonomous vehicles.

But there are new safety challenges that face the teams developing software for autonomous (and semi-autonomous) vehicles.

That’s why a new ISO standard was recently published.

What Is SOTIF?

SOTIF is safety of the intended functionality. It’s the shorthand for the new ISO/PAS 21448 standard.

ISO/PAS 21448: Road Vehicles — Safety of the Intended Functionality

ISO/PAS 21448 applies to functionality that requires proper situational awareness in order to be safe. The standard is concerned with guaranteeing safety of the intended functionality — SOTIF — in the absence of a fault. This is in contrast with traditional functional safety, which is concerned with mitigating risk due to system failure.

SOTIF provides guidance on design, verification, and validation measures. Applying these measures helps you achieve safety in situations without failure.

Here are some examples that SOTIF provides:

Design measure example: requirement for sensor performance.

Verification measure example: test cases with high coverage of scenarios.

ISO/PAS 21448: Relationship to ISO 26262

ISO 26262 covers functional safety in the event of system failures. It doesn’t cover safety hazards that result without system failure. That’s why ISO/PAS 21448 is necessary.

In fact, ISO/PAS 21448 was originally intended to be ISO 26262: Part 14. Because ensuring safety in situations without a system failure is so complicated, SOTIF is now a standard on its own.

ISO 26262 vs. ISO/PAS 21448

ISO 26262 still applies to existing, established systems — such as dynamic stability control (DSC) systems or airbags. For these systems, safety is ensured by mitigating the risk of system failure.

ISO/PAS 21448 applies to systems such as emergency intervention systems and advanced driver assistance systems. These systems could have safety hazards — without system failure.

So, ISO/PAS 21448 complements ISO 26262.

Why SOTIF Is Important

Verifying automated systems is difficult.

Automated systems have huge volumes of data — and that data is fed to complex algorithms. AI and machine learning are critical for developing these systems.

To avoid potential safety hazards, the AI will need to make correct decisions, including in scenarios that require situational awareness.

Applying SOTIF will be key to ensuring that the AI is able to make those decisions and avoid safety hazards.

Example: Where SOTIF Applies

SOTIF applies to safety violations that occur without the failure of a system.

Here’s an example of situational awareness.

The road is icy. An AI-based system might be unable to comprehend the situation — and respond properly. This impacts the vehicle’s ability to operate safely. Without sensing the icy road condition, a self-driving vehicle might drive at a faster speed than is safe for the condition. Fulfilling SOTIF means taking that situation into account and making decisions based on probability.

The goal of SOTIF is to reduce potential unknown, unsafe conditions. However, that definition is very broad. And it’s difficult to show that you’ve accounted for all potential edge cases.
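To make the icy-road scenario concrete, here is an added example (written for this page, not taken from the standard or from Perforce) of a speed planner that assumes dry asphalt beside one that plans against a probabilistic friction estimate, with a small scenario sweep as the verification step. The friction values, the stopping-distance formula, the uncertainty bound and the scenarios are constructed assumptions for illustration.

```python
import math
from dataclasses import dataclass

G = 9.81  # gravitational acceleration, m/s^2


@dataclass
class FrictionEstimate:
    """Road-friction estimate from the perception stack (constructed for this example)."""
    mean: float   # estimated tyre/road friction coefficient mu
    sigma: float  # one-sigma uncertainty of that estimate


def max_safe_speed(mu: float, sight_distance_m: float) -> float:
    """Speed at which the vehicle can still stop within the visible road ahead.
    Braking distance d = v^2 / (2*mu*g), so v = sqrt(2*mu*g*d) (assumed model)."""
    return math.sqrt(2.0 * mu * G * sight_distance_m)


def naive_planner(sight_distance_m: float) -> float:
    """Planner with no situational awareness: always assumes dry asphalt (mu = 0.7).
    No component has failed, yet on ice the chosen speed is a SOTIF hazard."""
    return max_safe_speed(0.7, sight_distance_m)


def sotif_planner(est: FrictionEstimate, sight_distance_m: float, k: float = 2.0) -> float:
    """Design measure: plan against a conservative lower bound on friction,
    mean - k*sigma, never below an assumed worst-case floor of 0.1 (glare ice)."""
    mu_lower = max(est.mean - k * est.sigma, 0.1)
    return max_safe_speed(mu_lower, sight_distance_m)


def scenario_sweep(sight_distance_m: float = 60.0) -> dict:
    """Verification measure: run both planners over a set of road conditions and
    report, per scenario, whether each one stays within the true safe speed."""
    # Constructed scenarios: (name, true mu, what perception reports)
    scenarios = [
        ("dry", 0.70, FrictionEstimate(0.70, 0.05)),
        ("wet", 0.45, FrictionEstimate(0.50, 0.08)),
        ("ice", 0.15, FrictionEstimate(0.25, 0.07)),
    ]
    results = {}
    for name, true_mu, est in scenarios:
        limit = max_safe_speed(true_mu, sight_distance_m)
        results[name] = {
            "naive_safe": naive_planner(sight_distance_m) <= limit,
            "sotif_safe": sotif_planner(est, sight_distance_m) <= limit,
        }
    return results
```

The sweep shows the naive planner exceeding the safe speed on wet and icy roads while the bounded planner stays within it in every scenario; in practice the scenario set would be far larger, which is the coverage problem the text describes.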

Richard Bellairs

Product Marketing Manager, Perforce

Richard Bellairs has 20+ years of experience across a wide range of industries. He held electronics and software engineering positions in the manufacturing, defense, and test and measurement industries in the nineties and early noughties before moving to product management and product marketing. He now champions Perforce’s market-leading code quality management solution. Richard holds a bachelor’s degree in electronic engineering from the University of Sheffield and a professional diploma in marketing from the Chartered Institute of Marketing (CIM).